File not found – C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG

When you want to troubleshoot SceCli events with event ID 1202, you need to run the command:

FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

In some cases there will be an error because the winlogon.log file does not exist:

“File not found – C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG”

To enable the creation of the winlogon.log file we need to edit the registry.

Start the Registry Editor and go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Select the ExtensionDebugLevel value and change it to 2.

The default value is 0.

Now refresh Group Policy: gpupdate /force

Now it’s possible to identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

The string following “Cannot find” in the FIND output identifies the problem account names.

No mapping between account names and security IDs was done.
Cannot find gmsa.
Configure S-1-5-21-232029976-1651249474-311576647-2322.

Import-Module ActiveDirectory
Get-ADUser -Identity S-1-5-21-232029976-1651249474-311576647-2322

or via WMIC

wmic useraccount where sid="S-1-5-21-232029976-1651249474-311576647-2322" get name
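
The steps above can also be run as one PowerShell script. This is an added example, not from the original post: it assumes an elevated prompt, and the regular expression and the output property names (Account, Resolves, Sid) are choices made for this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$log = Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'

# Turn on security-extension logging only if it is not already at level 2.
$level = (Get-ItemProperty -Path $key -Name ExtensionDebugLevel -ErrorAction SilentlyContinue).ExtensionDebugLevel
if ($level -ne 2) {
    Set-ItemProperty -Path $key -Name ExtensionDebugLevel -Value 2 -Type DWord
}

# Re-apply policy so the extension writes a fresh log.
gpupdate /force

if (-not (Test-Path -Path $log)) {
    throw "winlogon.log was not created: $log"
}

# "Cannot find gmsa." -> "gmsa"; matching is case-insensitive, like FIND /I.
$names = Select-String -Path $log -Pattern 'Cannot find\s+(.+?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

# Check whether each reported name maps to a SID from this machine right now.
foreach ($name in $names) {
    $sid = $null
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Still unresolved from this machine; Sid stays empty.
    }
    [pscustomobject]@{
        Account  = $name
        Resolves = [bool]$sid
        Sid      = $sid
    }
}
```

Rows with Resolves set to False are the account names that still have no SID mapping.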
